blob: ce3041385c77a1d6fb45c2cb1d72f7db51473c18 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
From 7e7630bbb775573eea2a2335adb9d190c3e1e971 Mon Sep 17 00:00:00 2001
From: Robert Morell <rmorell@nvidia.com>
Date: Wed, 12 Nov 2014 18:51:43 -0800
Subject: [PATCH 32/40] glx: Fix mask truncation in __glXGetAnswerBuffer
[CVE-2014-8093 6/6]
On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
bitwise not operation will result in a mask that clears all high bits
from temp_buf in the expression:
temp_buf = (temp_buf + mask) & ~mask;
Signed-off-by: Robert Morell <rmorell@nvidia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
glx/indirect_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index de81491..9ba2815 100644
--- glx/indirect_util.c
+++ glx/indirect_util.c
@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
void *local_buffer, size_t local_size, unsigned alignment)
{
void *buffer = local_buffer;
- const unsigned mask = alignment - 1;
+ const intptr_t mask = alignment - 1;
if (local_size < required_size) {
size_t worst_case_size;
--
2.1.2
|
